Custom console route

[jhadvig]

Adding option do specify the custom hostname for console.
When when custom hostname is specified a new console-custom route is created. In case the new hostname doesnt contain the cluster domain as a suffix, secret reference needs to be specified, that points to the secret in the openshift-config namespace, where it needs to be created manually and contain tls cert and its key, which will serve as a serving-cert for the console pod. Also we will maintain the default route so it stays reserved for us.

/assign @benjaminapetersen

API changes - openshift/api#594

[benjaminapetersen]

nit: SyncCustomServigCertSecret has Servig, but should be Serving.

[benjaminapetersen]

So this deviates a little bit from the Validate() in SyncRoute(). Looking into this a bit to make sure its ok.

[jhadvig]

thought that since the Validate() is just checking the To, Port, TLS, WildcardPolicy then it cant hurt to check those on the custom route, since these should be the same

[benjaminapetersen]

Prob should update api.OpenShiftCustomLogoConfigMapName to api.CustomRouteServingCertName.
I dont think we want to call this secret "custom-logo".

[jhadvig]

yep ! will update !

[benjaminapetersen]

I'm not sure I follow the logic entirely here.
Its not really validating the custom route its.... checking if the custom is still on the default ingress domain?

[jhadvig]

yeah, probably bad naming hare. Maybe isDefaultIngressDomain ?

[benjaminapetersen]

The question here is, do we trust the default route, or should we pull in the Ingress Config?

[jhadvig]

So I think we can trust the default route, since we will be maintaining it anyways. Also when creating we are using the default as the router name. Otherwise we are raising a sync error.
Should be ok then ?

[benjaminapetersen]

So this is answering "Is the custom host still on the default ingress domain"?

[jhadvig]

yes

[benjaminapetersen]

I think this will work:

func IsCustomRouteSet(operatorConfig *operatorv1.Console) bool {
	return operatorConfig.Spec.Route.Hostname) != 0
}

[jhadvig]

definitely 👍

[benjaminapetersen]

func IsCustomRouteSecretSet(operatorConfig *operatorv1.Console) bool {
	return len(operatorConfig.Spec.Route.Secret.Name) != 0
}

[benjaminapetersen]

This is to overwrite the existing serving cert with the custom, so we don't have to change the impl in the console to look at a different dir, correct?

[jhadvig]

yes
Thought that we should not need both serving-certs

[stlaz]

I couldn't find an enhancement for this, but I don't understand why you should keep two routes instead of just one. Are both going to be functional at the same time?

[stlaz]

you can keep just this function instead of having two, just

func (c *RouteSyncController) removeRoute(routeName string) error {
    klog.V(2).Infof("deleting %s route", routeName)
    err := c.routeClient.Routes(c.targetNamespace).Delete(routeName, &metav1.DeleteOptions{})
    if apierrors.IsNotFound(err) {
        return nil
    }
    return err
}

You may want to get rid of the defer log because it would appear even in the case of an error

[stlaz]

actually, you would want to remove the other log line as well as that would appear on every sync even if the route was already removed...

[stlaz]

As Ben suggested, move the IsCustomRouteSet() check here and return early if false

[stlaz]

why are you syncing this? Also, I'd advise to use the name "RouteCert" instead of serving-cert because the latter is more commonly used for the certificate the pod uses for serving, rather than the certificate the route uses.

[jhadvig]

why are you syncing this?

we need to since the secret that contains the custom serving-cert from openshift-config, where the user/admin needs to create it manually, into the openshift-console, so we can mount it into the console pod

[stlaz]

But you don't want to mount it in the pod, you want to have that inserted into the route

[stlaz]

why are you mounting this? The contents are supposed to be used in the route's spec.tls.termination.{cert,key,caCertificate} fields

[stlaz]

Also, you should have a hard requirement on the secret you're syncing to contain all of tls.crt, tls.key and ca.crt fields

[jhadvig]

why are you mounting this? The contents are supposed to be used in the route's spec.tls.termination.{cert,key,caCertificate} fields

I though that the secret needs to be mounted into the console pod.

why are you mounting this? The contents are supposed to be used in the route's spec.tls.termination.{cert,key,caCertificate} fields

also ca.crt?
all of them needs to be used in the route's spec.tls.termination.{cert,key,caCertificate} fields?

[stlaz]

I think you would want to have the CA certificate there as well to prevent issues that the routing team has - openshift/cluster-ingress-operator#329. Generally, it would make your life easier.

Also, you should validate the secret and don't progress further if it's invalid.

[stlaz]

where's all the fancy certificate stuff you're doing this for?

[jhadvig]

@stlaz so to point of having two routes is to have the default one reserved, in case that somebody could create one which would block admitting the default route if recreated. The default one will be active only in case that the custom route suffix will match the cluster domain

[jhadvig]

@stlaz @benjaminapetersen I've update the PR based on your comments.
Removed mounting the secret as a serving-cert into the console pod and instead setting the cert and key on the custom route.

PTAL

[jhadvig]

The unit tests are failing cause will update them after after we align on the logic, since that will be pretty big change itself

[stlaz]

needs tests

[jhadvig]

@benjaminapetersen @stlaz comments addressed. PTAL

[benjaminapetersen]

I'm a little confused by the comment, it implies something should be done, but it immediately returns nil, nil.

[stlaz]

+ what if the user just wanted their custom certificate for the route in cluster domain?

[jhadvig]

The comment is wrong... if the suffix matches cluster domain then the secret is not necessary

[stlaz]

but the user may still want their certificate to be used instead of the ones that the router adds by default, correct?

[benjaminapetersen]

I think we only need to pass kubeClient.CoreV1() once.

[benjaminapetersen]

Ah, I see what we did, we have our clients slightly misnamed. Hmm. And we do it in all our controllers. :)

[jhadvig]

This is needed to set the route.spec.tls fields

[stlaz]

getting there

[stlaz]

nit: just return c.secretClient.Secrets(api.OpenShiftConfigNamespace).Get(c.ctx, operatorConfig.Spec.Route.Secret.Name, metav1.GetOptions{})

[stlaz]

like I said - I configured my custom route within the cluster domain and configured a custom cert I want it to use, why don't you honor it?

[stlaz]

why are you doing this?

[stlaz]

("failed to decode certificate PEM: %v", err) please

[stlaz]

ah, nvm, pem.Decode does not return error, my bad

[stlaz]

why are you doing this?

[stlaz]

this is no place for this check though, you should be able to apply the route no matter what its status is.

Also, are you 100% sure that this will be valid even for routes outside the cluster domain?

[stlaz]

thanks, I completely forgot you should also be checking at least the expiry date. For example, this certificate appears to have expired 4 years ago.

            Not Before: Apr  5 15:15:55 2013 GMT
            Not After : Apr  4 15:15:55 2015 GM

[benjaminapetersen]

Too bad we have to add this, I liked that we didn't read secrets from here.

[benjaminapetersen]

Not that we ARE reading them all, just that now we can. but we are only doing a GET on the one that matters to us.

[jhadvig]

Other solution would be to have the secret name as API, then we could specify only that single one... but not sure if thats worth it.

[benjaminapetersen]

/approve

So long as @stlaz is happy, we can tag this!

[jhadvig]

/retest

[stlaz]

just a few more cosmetic changes, otherwise LGTM

[stlaz]

nit: should have stayed below

[stlaz]

you probably don't need to check this since you're checking the presence of the interesting keys later on

[stlaz]

nit:

if _, err := x509.x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
    if _, err = x509.ParsePKCS1PrivateKey(block.Bytes); err != nil {
    ...
    }
}

[stlaz]

is not a valid private key PEM

[jhadvig]

@stlaz comments addressed.. lets merge this baby 😄

[stlaz]

/lgtm
🥳

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benjaminapetersen, jhadvig, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [benjaminapetersen]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stlaz]

/retest

[spadgett]

/retest

[jhadvig]

/retest

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.